Authentication

An important part of the design is deciding how to authenticate VPN connections.
Thanks to PAM, you can use almost any user authentication method with OVPN.
I have chosen certificate-based authentication, which avoids creating real
user accounts and managing their passwords.

Read Making your own CA using openssl
to learn how to make your own CA and certificates. You can use any certificates,
for example ones issued by AD. You will need the following certificates
before continuing with the OVPN configuration:

cacert.pem - CA certificate

server.pem - OpenVPN server's certificate, signed by this CA.

unlocked_server_key.pem - the OpenVPN server's private key, with the passphrase removed.

User_cert.pem - user's certificate, signed by the same CA. Used on the client side.

It is a good idea to create a separate CA used only for OVPN, so that you fully control it.

Put all files in /etc/pki/CA/ (the default place for a CA on Fedora) or /etc/ssl/
(I like this slightly more). Make all of them owned by root with mode 644.
The unlocked private key must have mode 400. Apply the SELinux policy to them:

Bridge mode configuration

Bridge mode is the most flexible VPN configuration.
You do not have to touch any routing tables, neither on the server nor on the client side.
A VPN client gets an IP address from the internal subnet and works directly.

However, the implementation has a lot of limitations.
Bridge mode puts the network interface into promiscuous mode, and if that is not allowed,
the solution will not work. For example, this is not possible at any cloud provider.
The existing workarounds for letting a VMware guest use promiscuous mode on its network interface
caused many other problems for me, therefore I decided that a bridge mode VPN
is not suitable for use in a VMware guest.

The LAN network interface that was defined simply in the chapter above has to be
configured differently. Remove all internal interfaces (it was named LAN in the previous example):

# nmcli connection delete LAN

Create a bridge and assign an IP to it, then create a VLAN interface and attach it to the bridge:

You do not have to assign any address at all. If the OVPN server itself does not
need to reach, or be reachable from, this VLAN, then no IP is required.
But for the first time it is good to assign an IP to check connectivity.

For some reason, nmcli does not write the bridge parameters correctly to the configuration file.
Check it (/etc/sysconfig/network-scripts/ifcfg-BR30) and verify that:

STP=no
DELAY=0
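The bridge and VLAN steps above, as an added example that is not from the original post: the nmcli commands collected in one function, plus a check (and repair) for the STP/DELAY keys that nmcli may leave out of ifcfg-BR30. Assumed names: physical NIC eth0, VLAN id 30, bridge br30 with connection name BR30, test address 10.30.0.1/24; the sample ifcfg contents at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: NIC eth0, VLAN id 30,
# bridge br30 with connection name BR30 (so nmcli writes ifcfg-BR30), 10.30.0.1/24.
set -eu

# Build the bridge and the VLAN that is enslaved to it. Run as root on the OVPN
# server; it is only defined here, not called, so the file can run on any host.
create_bridge() {
    nic="$1"; vid="$2"; addr="$3"
    nmcli connection add type bridge ifname "br$vid" con-name "BR$vid" \
        bridge.stp no bridge.forward-delay 0 \
        ipv4.method manual ipv4.addresses "$addr"
    nmcli connection add type vlan ifname "$nic.$vid" con-name "VLAN$vid" \
        dev "$nic" id "$vid" master "BR$vid" slave-type bridge
}

# nmcli may not persist the bridge parameters: verify the ifcfg file it wrote.
# Returns 0 only when both STP=no and DELAY=0 are present as whole lines.
check_ifcfg() {
    file="$1"; rc=0
    for kv in STP=no DELAY=0; do
        grep -qxF "$kv" "$file" || { echo "$file: missing $kv" >&2; rc=1; }
    done
    return "$rc"
}

# Rewrite the two keys so the file matches (idempotent; no GNU sed -i needed).
fix_ifcfg() {
    file="$1"
    for kv in STP=no DELAY=0; do
        key=${kv%%=*}
        grep -v "^$key=" "$file" > "$file.tmp" || true  # grep -v exits 1 if nothing left
        echo "$kv" >> "$file.tmp"
        mv "$file.tmp" "$file"
    done
}

# Constructed sample of an ifcfg-BR30 as nmcli might leave it: STP missing, DELAY=15.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
TYPE=Bridge
NAME=BR30
DEVICE=br30
BOOTPROTO=none
IPADDR=10.30.0.1
PREFIX=24
DELAY=15
EOF
check_ifcfg "$SAMPLE" || fix_ifcfg "$SAMPLE"   # report, then repair the sample
```

Run create_bridge eth0 30 10.30.0.1/24 once on the server, then check_ifcfg against the real ifcfg-BR30 before bringing the connection up.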

The virtual interface created by OVPN will be attached to the bridge using an external script.
You have to put this script in the /etc/openvpn/scripts directory to fit the SELinux rules.